Firewall and Haproxy

Hey All,

When adding hosts to a F/W behind a VIP (keepalived for example) to which Haproxy is bound, should just the VIP be added to the F/W or would all member hosts behind Haproxy need to be added as well?

If all member hosts behind haproxy need to be added, why?

Only reason I can think of adding individual host members is for troubleshooting purposes. Other then that, can’t think of a valid reason why each member host would connect separately.